[00:05.150 --> 00:10.090]  Sorry, I had to have some theme music for folks while we waited for our next talk.
[00:16.340 --> 00:20.740]  Chloe, could you broadcast your slides really quick?
[00:20.740 --> 00:24.760]  What I'll do is I will introduce you as you put them up there,
[00:24.760 --> 00:29.800]  and then we will have our staff kind of give you the go-ahead,
[00:29.800 --> 00:32.580]  and as soon as they do, I'll introduce you so they can make sure
[00:32.580 --> 00:35.080]  they have the stream lined up with things as they go.
[00:37.860 --> 00:39.160]  Can you hear me okay?
[00:40.220 --> 00:42.020]  Definitely. We can hear you pretty well.
[00:42.020 --> 00:45.800]  Okay. I was like, we had the push-to-talk feature for some of the talks.
[00:45.800 --> 00:49.020]  I was like, okay, I need to turn it off. I'm assuming at this point.
[00:49.880 --> 00:53.480]  Oh, yeah. This is going to be mostly you, so yeah.
[00:54.760 --> 00:59.040]  All right. And then let me put – you guys can see my screen already.
[00:59.040 --> 01:03.040]  Let me just put my video on for the very beginning here.
[01:04.280 --> 01:06.040]  Perfect. Hi.
[01:06.260 --> 01:07.020]  Hey.
[01:07.960 --> 01:09.000]  All right. There we go.
[01:09.000 --> 01:10.220]  Good to see you. Good to see you.
[01:10.220 --> 01:11.100]  Good to see you, too.
[01:11.100 --> 01:17.500]  All right. Let's see. Let me know, staff, when I can start – when we start,
[01:18.040 --> 01:22.520]  once you get the stream all going, and we will start as soon as that starts.
[01:22.660 --> 01:27.820]  Cool. Quick question. I want my video to be off.
[01:27.960 --> 01:31.120]  After I do – when I move from this slide to the next,
[01:31.120 --> 01:35.180]  could you guys control that, or do you want me to quickly go back into Discord
[01:35.180 --> 01:36.560]  and do that myself?
[01:36.840 --> 01:40.060]  I'd probably say if you can shut off the video on your end,
[01:40.060 --> 01:43.100]  so that way we can just ensure that things are being recorded.
[01:43.100 --> 01:48.000]  Sure. Yeah, and I'll just – so I'll just make sure that my camera is off now,
[01:48.000 --> 01:52.440]  and then I'll just turn it back on for Q&A so I can get out of the slides.
[01:52.440 --> 01:53.220]  Sound good?
[01:53.320 --> 01:57.160]  Yep. Can you put your slides on full screen really quick?
[01:57.520 --> 01:59.140]  Can you see it full screen?
[01:59.140 --> 02:02.860]  No, right now we see just the default PowerPoint.
[02:03.720 --> 02:04.520]  Huh.
[02:05.280 --> 02:06.720]  If you hit F5 –
[02:06.720 --> 02:14.600]  No, that's not it. That's weird. Can you see it now, the full screen?
[02:14.920 --> 02:18.400]  Right now, all we see are like the slide deck when you first go into –
[02:18.400 --> 02:18.960]  Yeah.
[02:19.160 --> 02:20.040]  Yeah.
[02:20.740 --> 02:23.480]  Huh. How about now? What do you see?
[02:24.040 --> 02:28.540]  Right now, we are seeing just the general slide deck.
[02:28.540 --> 02:29.980]  It's the presenter view.
[02:30.180 --> 02:35.360]  I wonder – it was doing that before.
[02:36.300 --> 02:37.380]  No worries.
[02:37.880 --> 02:38.960]  Huh.
[02:39.280 --> 02:43.840]  And for those folks that are currently on Twitch and are tuning in on Discord,
[02:43.840 --> 02:49.560]  give us a few seconds as we set up our stream, and we set up our slides really quick.
[02:49.560 --> 02:54.200]  So just sit tight, and we will start our presentation by Chloe in just a few.
[02:54.200 --> 02:55.640]  So hang in there.
[02:57.540 --> 03:00.460]  Looks like we've got a decent amount of Twitch folks on there.
[03:01.440 --> 03:05.380]  Okay. Let me try again. Maybe I just need to restart it.
[03:05.420 --> 03:06.720]  Sounds good.
[03:07.880 --> 03:09.320]  All right.
[03:11.540 --> 03:13.980]  All right. Can you see it full screen now?
[03:13.980 --> 03:19.680]  No. Right now, it shows play from start. We still see the presenter view.
[03:20.500 --> 03:21.800]  Oh, okay.
[03:27.630 --> 03:29.890]  That's so weird. I'm sorry, guys.
[03:29.890 --> 03:31.690]  No worries. No worries.
[03:32.430 --> 03:39.950]  What I would probably say is, if anything – do you have two monitors at the moment?
[03:40.110 --> 03:41.250]  I do.
[03:41.250 --> 03:47.690]  What I would do is share the – don't share the application. Share the monitor where the slide is going full view.
[03:48.710 --> 03:53.290]  Oh, okay. So this is on my laptop right now. Sorry. I have two computers next to me, though.
[03:53.730 --> 03:55.070]  I got you. I got you.
[03:56.470 --> 03:59.450]  Huh. That's weird.
[04:01.210 --> 04:02.010]  Crap.
[04:03.790 --> 04:07.590]  If you'd like, you can send me the slides and I can drive them.
[04:07.590 --> 04:11.350]  Okay. Yeah. And I'll just say next slide or whatnot.
[04:11.350 --> 04:12.410]  Sounds good.
[04:12.690 --> 04:15.270]  Okay. Where should I send it to?
[04:15.370 --> 04:19.250]  Here. I will direct message you my email really quick.
[04:22.840 --> 04:28.620]  Cool. So for folks that are tuning in on the Twitch stream, give us one quick second while we get Chloe's slides.
[04:28.620 --> 04:34.560]  I will drive them and we will go from there. So sorry, folks. Give us one second.
[04:34.560 --> 04:40.420]  Let me pop the – back in there. Let me turn that off.
[04:40.520 --> 04:47.260]  I hope everybody is doing pretty well today in the spirit of DEF CON.
[04:47.260 --> 04:48.940]  Welcome to the final day.
[04:48.940 --> 04:55.180]  Let me go to Gmail.
[05:06.800 --> 05:12.560]  So for those of you that just joined, give us one quick second as we set up our slides.
[05:12.860 --> 05:19.180]  We are starting the stream just shortly. Give us one quick second while we go and do that.
[05:45.860 --> 05:49.240]  That is correct. I think we should get that beach ball.
[06:19.930 --> 06:26.070]  So while the slides are being sent, for those of you that were on the call at the last presentation,
[06:26.070 --> 06:34.030]  we had Michael Antonino that was kind of talking a little bit about blackmail and disclosure and a few other things.
[06:34.030 --> 06:39.590]  So it's pretty nice because Chloe's talk will kind of talk a little bit about that, about the hacker's rights.
[06:39.590 --> 06:43.790]  It's a nice segue kind of moving into her talk.
[06:43.790 --> 06:52.110]  For those of you that have just tuned in or have just joined us at DEF CON 28, Ethics Village 2020,
[06:52.110 --> 06:56.750]  what I'd probably say is if you have any questions during the talk, please queue them up.
[06:56.810 --> 07:04.050]  We are watching the Twitch chat room and we are also watching Discord as well.
[07:04.170 --> 07:06.830]  So any questions you all have, please queue them up.
[07:06.830 --> 07:10.610]  I will either relay them to Chloe or Chloe will see them in the chat.
[07:10.610 --> 07:14.530]  So yeah, just hang in there and we will get started just shortly.
[07:14.530 --> 07:18.950]  So thank you all for coming for this final talk.
[07:18.950 --> 07:22.030]  All right, let me see if I can open them now. I'll be right back, folks.
[08:32.390 --> 08:34.270]  Okay, and we are back.
[08:34.390 --> 08:42.110]  For those of you, so I would say, staff, can you please switch the screen really quick to mine?
[08:42.110 --> 08:50.550]  And I would say, Chloe, you might want to stop presenting the live or stop sharing your screen.
[08:50.550 --> 08:52.190]  So that way, just in case.
[08:59.160 --> 09:00.600]  Perfect, perfect.
[09:00.840 --> 09:06.540]  And I will ask, let me move back to the chat really fast.
[09:06.540 --> 09:08.080]  One quick second.
[09:08.820 --> 09:12.360]  So our staff, Ethics Village staff, are we ready to start the stream?
[09:12.960 --> 09:15.300]  Give me a thumbs up if we are good.
[09:19.240 --> 09:22.700]  Oh, one quick second, one quick second. Things are being queued up.
[09:31.810 --> 09:35.150]  Chloe, I might be butchering your last name. How do you pronounce your last name?
[09:35.250 --> 09:36.550]  Messdaghi.
[09:36.750 --> 09:38.130]  Messdaghi, yeah, okay.
[09:38.130 --> 09:39.210]  There we go.
[09:40.210 --> 09:44.290]  I've been butchering people's names all day for the past two days, so yeah.
[09:44.310 --> 09:49.610]  I do this trick where I just say their first name and then I'm like, okay, go ahead and introduce yourself.
[09:49.610 --> 09:53.430]  No, no, I must go through the pain. I must learn everybody's name.
[09:53.430 --> 09:56.830]  Because I'm just like, no, I have to say it.
[09:56.830 --> 10:00.630]  Although, yeah, yesterday I butchered some poor speaker's name.
[10:00.630 --> 10:01.950]  I'm like, I am so sorry.
[10:02.770 --> 10:07.630]  I'm from the Midwest, and the Midwest is unfortunately very, very bland.
[10:10.730 --> 10:11.610]  Right.
[10:12.870 --> 10:15.370]  All right, Ethics Village staff, what do you all say?
[10:15.370 --> 10:17.190]  We good to start?
[10:18.070 --> 10:19.830]  Let me double check.
[10:21.830 --> 10:25.630]  I'm just going to say next slide. What is next slide? Sound good?
[10:25.750 --> 10:28.690]  Perfect for me. And we are good to go. Thank you all.
[10:28.690 --> 10:33.650]  Oh, wow, we've got a lot of people on Twitch, and we have a lot of folks over on Discord.
[10:33.650 --> 10:36.530]  So now I will introduce our speaker.
[10:36.950 --> 10:43.490]  So hi, everybody. Welcome to the final live talk of DEF CON Ethics Village 2020.
[10:43.490 --> 10:46.690]  So today with us we have Chloe Messdaghi.
[10:46.690 --> 10:50.670]  Chloe is the VP of Strategy at Point3 Security.
[10:50.670 --> 10:56.730]  She is a researcher advocate who strongly believes that information security is a humanitarian issue.
[10:56.730 --> 11:02.890]  Besides her passion to keep people safe and empowered online and offline,
[11:02.890 --> 11:05.050]  she's driven to fight for hackers' rights.
[11:05.050 --> 11:10.750]  She is the founder of WomenHackerz and the president and co-founder of Women of Security, or WoSEC,
[11:10.750 --> 11:16.110]  podcaster for ITSPmagazine's The Uncommon Journey, and runs the Hacker Book Club.
[11:16.110 --> 11:19.350]  So in all fairness, folks, check out the Hacker Book Club.
[11:19.350 --> 11:21.770]  They've got some pretty cool suggestions in there.
[11:21.830 --> 11:24.550]  You can tweet her at ChloeMessdaghi.
[11:24.550 --> 11:26.350]  And yeah, we will go from there.
[11:26.350 --> 11:29.810]  And without further interruptions, Chloe, all you.
[11:30.150 --> 11:33.730]  Excellent. Thanks, everyone. I hope everyone is enjoying their Sunday.
[11:33.730 --> 11:40.990]  And I guess good afternoon, good evening, or good early, early morning, depending on where you are.
[11:41.310 --> 11:45.090]  Let's dive into this. So let's go to the next slide.
[11:49.490 --> 11:56.650]  All right. So I just want to say that this talk is completely dedicated to all the hackers who've been scared to disclose,
[11:56.650 --> 12:01.890]  to all the hackers who've been prosecuted for doing something good or doing their actual job, believe it or not,
[12:01.890 --> 12:05.650]  and to all the people who are in the fight to bring rights for hackers.
[12:05.650 --> 12:11.530]  And there's many of us basically behind scenes doing whatever we can to make changes.
[12:11.730 --> 12:16.390]  But this talk is going to be good for you because you get to find out how you can also help.
[12:16.390 --> 12:27.300]  Next slide. So once again, my name is Chloe Messdaghi. I am the VP of Strategy over at Point3 Security.
[12:27.300 --> 12:32.540]  I'm an ethical hacker advocate. Basically, I'm fighting for hacker rights,
[12:32.540 --> 12:35.860]  and especially trying to help out the community in any sort of way.
[12:35.860 --> 12:42.240]  If that means trying to push out mental health issues, if that means bringing diversity and inclusion
[12:42.240 --> 12:48.320]  and doing whatever I can to promote others in the field that are trying to do something good, I do so.
[12:48.320 --> 12:51.920]  Also president and co-founder at WoSEC. We have hackers all over the world.
[12:52.180 --> 12:55.640]  Founder of WeAreHackerz, formerly known as WomenHackerz.
[12:55.640 --> 13:01.000]  We are a private group of hackers who hack at all different levels that are marginalized genders.
[13:01.420 --> 13:06.220]  Also a podcaster for ITSPmagazine, The Uncommon Journey with Phillip Wylie and Alyssa Miller.
[13:06.220 --> 13:09.040]  And when I'm not doing that, I run the Hacker Book Club.
[13:09.840 --> 13:15.080]  And so one thing you should know about it, we meet every week virtually at 5 p.m. Pacific Time.
[13:15.080 --> 13:23.120]  We do read one book every month, and usually the books are written by hackers in the community or about the hacker community.
[13:23.280 --> 13:28.420]  And the authors do attend our sessions, and also people that are mentioned in the book do attend our sessions.
[13:28.420 --> 13:35.600]  We will be doing The Hacker Playbook, Red Team Edition. That's going to be coming up next, so I highly recommend it.
[13:35.600 --> 13:39.920]  That is my URL. If you want to know anything about me, it's probably on there.
[13:40.020 --> 13:42.800]  And I do have a Twitter and Instagram. My DMs are always open.
[13:42.800 --> 13:44.280]  All right, next slide.
[13:47.650 --> 13:52.090]  So I know this is going to be scary, but we're going to dive in it together.
[13:52.410 --> 13:53.410]  Next slide.
[13:58.860 --> 14:05.160]  So usually at this point, I say, like, oh, raise your hand if the Equifax breach impacted you.
[14:05.160 --> 14:09.400]  But the thing is, you're behind your screen, so I'm just going to pretend you raised your hand.
[14:09.560 --> 14:18.440]  But did you know a security researcher warned Equifax that it was vulnerable to a kind of attack that later compromised the personal data of more than 147 million Americans?
[14:19.320 --> 14:25.060]  Six months after the researcher first notified the company about the vulnerability, Equifax patched it,
[14:25.060 --> 14:31.840]  but only after the massive breach that made headlines had already taken place, according to Equifax's timeline.
[14:32.780 --> 14:34.300]  Next slide.
[14:37.900 --> 14:40.160]  And then we have the case of Capital One.
[14:40.160 --> 14:45.220]  According to the federal complaint, the breach took place in stages across March and April 2019.
[14:45.220 --> 14:57.920]  But Capital One only became aware of the problem on July 17, when a security researcher tipped the company to a public GitHub page that was displaying something that looked an awful lot like private Capital One data.
[14:58.200 --> 14:59.500]  Next slide.
[15:03.590 --> 15:08.090]  But the real question is, well, what if no one reported the breach?
[15:08.250 --> 15:09.670]  Next slide.
[15:13.640 --> 15:19.100]  It happens often because hackers don't report a breach due to the fear of prosecution.
[15:19.100 --> 15:28.020]  This statistic was discovered by the hard work of Amit Elazari, who knows her laws prevent good hackers from doing what they do best, protecting you and me and everyone we love.
[15:28.080 --> 15:31.100]  She's been spearheading this movement towards safe harbor.
[15:31.100 --> 15:49.760]  And according to HackerOne's 2018 hacker report, which surveyed over seven, I think, 60 members or something like that of the hacking community, they found that almost one in four ethical hackers have not reported a vulnerability because the company in question didn't have a VDP, a vulnerability disclosure program.
[15:50.060 --> 15:57.740]  Those who tried to notify the company through other channels, such as email or social media, also claimed they were frequently ignored or misunderstood.
[15:58.500 --> 16:00.020]  Next slide, please.
[16:03.320 --> 16:11.000]  So besides prosecution, looking for contact information and reading the policies have been a burden to report vulnerabilities. Think about it.
[16:11.000 --> 16:15.840]  Sometimes it takes hours, days, and weeks to find the right contact information to disclose.
[16:16.160 --> 16:25.620]  And I have to admit, it's really difficult because at that point, you're like, should I even disclose anything if I can't locate the right person?
[16:25.620 --> 16:35.500]  And that's a very frustrating thing because you're trying to protect their customers' data, usually, and letting them know ahead of time that there is this vulnerability.
[16:35.500 --> 16:38.700]  But reporting it can be so hard.
[16:38.700 --> 16:59.300]  So it's really good and important for companies to state having some sort of in-scope, out-scope policies, and then also contact information, what to expect when reporting, if there are any rewards at all, to mention what kind of rewards could be given.
[16:59.300 --> 17:05.960]  But having some sort of policies in place that protects the hacker by notifying them about the situation.
[17:05.960 --> 17:16.000]  But it's not just, you know, hackers online that are having to worry about being prosecuted. Also, those that are doing physical security as well.
[17:16.000 --> 17:20.740]  Even if they're hired to do that job, they can still get prosecuted.
[17:20.900 --> 17:22.640]  Next slide, please.
[17:25.840 --> 17:30.980]  So after DJI, the drone manufacturer, recently launched a bug bounty program,
[17:30.980 --> 17:33.200]  two researchers named Sean and Kevin looked at it.
[17:33.280 --> 17:42.920]  For the scope, the bug bounty program covers all the security issues confirmed by our application servers, including source code leak, security workaround, privacy issue.
[17:42.920 --> 17:46.040]  And Kevin emailed them to confirm the scope to be safe.
[17:46.040 --> 17:49.280]  It took them two weeks to finally confirm the scope.
[17:49.280 --> 17:51.160]  He then reported the vulnerability.
[17:51.160 --> 18:00.080]  However, when he reported, he was provided with $30,000 for the finding, but the agreement in receiving it offered no legal protection for him.
[18:00.080 --> 18:02.020]  So he decided to walk away.
[18:02.080 --> 18:10.740]  The revelations resulted in the company challenging his findings and seemingly threatening him with a lawsuit tied to the Computer Fraud and Abuse Act, CFAA,
[18:10.740 --> 18:16.760]  claiming he went out of scope, regardless of the fact that he made sure to confirm that he was within scope.
[18:16.760 --> 18:27.280]  And in return, because it was getting so bad with basically giving him a lawsuit, he decided to post the entire situation with all the conversations with DJI publicly.
[18:27.400 --> 18:40.880]  I think one of my favorite things, if you look at the blog post, is that in the chain you'll see that there was a moment where the people at DJI didn't know he was cc'd on...
[18:40.880 --> 18:47.900]  Well, not cc'd, but there was a chain in the email, and in it, it said, like, this guy is going to cause us a problem.
[18:47.960 --> 18:51.840]  We need to take initiatives, legal initiatives on it.
[18:51.840 --> 19:00.200]  And when he got the email from them about something else, he scrolled down and he saw, like, the internal conversations happening around him.
[19:00.200 --> 19:10.040]  So it's really good to read, and it gives you, once again, one of those moments where you realize, even when you're in the good, you have these situations that occur.
[19:10.580 --> 19:12.240]  Next slide, please.
[19:16.200 --> 19:21.960]  This is another case. So this is a case in September of last year.
[19:22.000 --> 19:31.240]  Basically, Iowa State asked the cybersecurity firm Coalfire to conduct a penetration test to see if its staff could gain access to sensitive data or equipment.
[19:31.320 --> 19:41.220]  So two Coalfire employees found a door to the Dallas courthouse open, and when they closed the door to see if it would lock and then attempted to open it, an alarm was set off.
[19:41.220 --> 19:47.760]  Following the protocol, the employees waited for the police to arrive and show them their paperwork that they were legally hired.
[19:48.400 --> 19:58.320]  Initially, they were told they were good to go by the police. However, the sheriff showed up and arrested them, and they ended up having to spend a night in jail.
[19:58.460 --> 20:09.300]  There were charges for burglary, which is just so upsetting in so many ways, but they were later dropped in the late January 2020.
[20:09.300 --> 20:16.760]  This is one of those examples of why a good, you know, a good safe harbor law that would protect our industry is needed.
[20:17.660 --> 20:27.120]  Basically, to protect our industry from any kind of prosecution, because people are still not, you know, reading up on the differences between ethical hackers and attackers.
[20:27.180 --> 20:37.380]  So it's important to notice that even, you know, even physical security still has issues too in this situation.
[20:37.380 --> 20:39.300]  Next slide, please.
[20:43.240 --> 20:55.000]  Overall community consensus here is that language of what is in scope, out of scope, when disclosing, or how do I disclose can be so scary, and potential indictments especially. It can keep both parties awake at night.
[20:55.200 --> 21:02.180]  And I'll tell you it does for me, of course. I mean, there are program managers asking to be hacked, but not to get hacked badly.
[21:02.320 --> 21:07.460]  And how to conduct and handle situations where researchers report something is another fear of theirs.
[21:07.460 --> 21:12.980]  But overall, organizations and government all know that it's probably needed at this time.
[21:13.060 --> 21:19.280]  And that's why they do work with the hacker community, right? You have like Hack the Pentagon, Hack the Army.
[21:19.280 --> 21:26.720]  You even have them hiring, like, Coalfire employees to go and test their sites to see if they're safe.
[21:26.720 --> 21:29.820]  So overall, people are aware that they need to work with us.
[21:29.820 --> 21:41.920]  It's just that there's this thing going on behind, which is like these really unchecked beliefs about the hacker community and that hackers are criminals.
[21:41.920 --> 21:45.780]  And it's very sad because it keeps us from moving forward every day.
[21:46.160 --> 21:47.620]  Next slide, please.
[21:51.360 --> 21:54.080]  And I know this is a very scary subject.
[21:54.900 --> 21:59.960]  But here are some puppies to lift your spirits. And of course, I place a cat for cat lovers as well.
[21:59.960 --> 22:02.080]  So take a moment to enjoy it.
[22:02.820 --> 22:04.540]  Next slide, please.
[22:08.600 --> 22:12.580]  So the real question is, why do they continue to be scared of us?
[22:12.580 --> 22:18.200]  Well, even though ethical hackers are not malicious actors, they're still being seen and treated as such.
[22:18.200 --> 22:26.480]  And because of this, it reduces the chances of reporting a vulnerability and can cause hackers to go more towards the dark side because they're seen as the same.
[22:26.480 --> 22:31.820]  So if you can see in the imagery to the left is what you see when you type in criminal hackers.
[22:31.940 --> 22:35.340]  And on the right is what you get when you type in ethical hackers.
[22:35.340 --> 22:46.820]  Once again, there's like this hoodie, this darkness, sometimes with a ski mask, basically still portraying us as these dark, devious people that are doing malicious things.
[22:47.320 --> 22:48.540]  Next slide, please.
[22:52.090 --> 22:54.810]  But I want to let you guys know it's not just the imagery.
[22:54.810 --> 22:56.590]  It's also language used in the media.
[22:56.590 --> 22:59.590]  And when I say media, I mean marketing in the press.
[22:59.590 --> 23:08.090]  Using the term hacker as someone as a criminal when they should be using the term attacker or cyber criminal, malicious actor, and so on.
[23:08.350 --> 23:09.750]  Next slide, please.
[23:13.610 --> 23:17.170]  So how does this imagery and language impact us?
[23:17.270 --> 23:22.590]  It continues to feed the fear and stereotypes and biases that exist through social construction.
[23:22.590 --> 23:31.450]  And we're going to have to dive into the brain to understand how social construction affects us and how it works exactly.
[23:31.450 --> 23:32.370]  Next slide.
[23:35.720 --> 23:43.120]  So if any of you guys have ever attended any of my previous talks, I usually always bring up the brain because I have an obsession with the brain.
[23:43.220 --> 23:45.780]  Because that's how we understand the human element.
[23:45.780 --> 23:51.580]  And the human element plays a huge role when it comes to getting rights, but also within InfoSec itself.
[23:51.580 --> 23:57.760]  So what I want you guys to understand is there is three parts.
[23:57.760 --> 24:02.280]  So the first part is around how do we collect fear?
[24:02.700 --> 24:19.360]  So socially constructed beliefs are beliefs that you were told as a child or as an adult from someone that you look up to or someone with knowledge or on the news or in images or in movies or TV shows.
[24:19.360 --> 24:24.060]  These things feed into basically creating beliefs.
[24:24.060 --> 24:29.560]  Now, the thing is that a lot of people know of the amygdala as this fight versus flight mechanism.
[24:29.560 --> 24:36.280]  But what they don't really understand is that it's more like sorting who is like me and who is not like me.
[24:36.480 --> 24:44.980]  So when they see something or they're told something that, say, for example, someone with pink hair are dangerous individuals.
[24:45.520 --> 24:48.760]  They might not say that directly, but indirectly.
[24:48.760 --> 24:59.640]  So by watching movies, every time you see someone with pink hair, they're seen as the villain, the criminal, or they might use the term, you know, when they see someone with pink hair.
[24:59.940 --> 25:05.100]  And this is also in the news. Maybe you had a teacher, a parent or friends.
[25:05.100 --> 25:10.340]  They said, like, people with pink hair are dangerous and it's best for you to cross the street or whatnot.
[25:10.400 --> 25:18.120]  So every time you see someone with pink hair, you might clutch your purse a little bit tighter or you might cross the street to avoid the person with pink hair.
[25:18.120 --> 25:22.120]  Or you might get out of an elevator when you see someone with pink hair get on.
[25:23.780 --> 25:31.400]  And that's the one thing. The one thing you should take away from that example right now is that the person literally just only has pink hair.
[25:31.400 --> 25:39.880]  There's really no difference. But the thing is, is that you've been indirectly told to believe that people with pink hair are dangerous.
[25:41.500 --> 25:48.260]  So the thing to know about the amygdala is that it works with the memories within your temporal lobe.
[25:48.260 --> 25:53.460]  And because your temporal lobe is there, also emotions are connected to your memories.
[25:53.460 --> 26:06.280]  So whenever there's a fear moment, your amygdala will be lit up and the amygdala will basically be like, OK, we are under a threat right now and we need to do something about this.
[26:06.280 --> 26:12.660]  And so what happens is the amygdala subconsciously sends next a message to the prefrontal cortex.
[26:12.700 --> 26:14.560]  Next slide, please.
[26:19.240 --> 26:27.260]  So once it gets to the prefrontal cortex, it's checking in to see whether or not this thing is actually a threat.
[26:27.260 --> 26:34.040]  This is the only time that you can actually consciously question any action before taking action.
[26:34.040 --> 26:41.820]  So, for example, you see someone with pink hair and your amygdala is like, warning, warning, pink hair person behind you.
[26:41.980 --> 26:45.120]  What should we do? And sends it to the prefrontal cortex.
[26:45.120 --> 26:49.100]  The prefrontal cortex is thinking, OK, I can do this action. I can do that action.
[26:49.100 --> 26:53.860]  I could go inside the store. I can cross the street. I can walk a little bit fast.
[26:53.940 --> 27:00.480]  I can make sure that I have my phone dialed 911 in case of emergency because this person has pink hair.
[27:00.480 --> 27:03.320]  I just want to remind you just because this person has pink hair.
[27:03.320 --> 27:09.500]  This socially constructed beliefs are, you know, are stored in your memory and whatnot.
[27:09.500 --> 27:12.240]  But the prefrontal cortex acts like the CEO of your brain.
[27:12.240 --> 27:15.700]  It's basically saying whether or not it is an actual fear.
[27:16.160 --> 27:22.300]  Now, the thing is, is that, say, for example, you've been told all these things about people with pink hair are dangerous.
[27:22.680 --> 27:27.280]  And what you do is that you're on YouTube and you come across a video.
[27:27.280 --> 27:38.420]  And there's in this video, it's someone with pink hair talking about basically how everyone always sees them as a criminal and how they can't get a job because people treat them differently.
[27:38.860 --> 27:49.480]  And that they don't understand because why are they always picked on as the criminal in movies or in the news when in reality, it's just having pink hair.
[27:49.480 --> 27:58.440]  And how it's caused them to have a very, very negative impact in their life because of people's perceptions of them.
[27:58.940 --> 28:10.120]  So when you saw that video on YouTube of the person with pink hair explaining these things, next thing you know is that there's a part of you that's like, huh, I wonder if I've ever done that.
[28:10.120 --> 28:12.500]  I think I may have done that before.
[28:13.460 --> 28:27.140]  So the thing to note about is that from hearing people's personal stories and hearing other sides and different perspectives, what you're supposed to be doing is challenging your belief system.
[28:27.140 --> 28:34.960]  But you have to be okay with being uncomfortable because we don't like to be wrong most of the time as humans. We see it as a weakness of ourselves.
[28:34.960 --> 28:38.560]  And we want to constantly come off as being the strong person.
[28:38.560 --> 28:50.060]  And so the thing is, is that because you saw the video with pink hair, and you're walking down the street, and you see that there's someone with pink hair like crosses the street and now is walking next to you.
[28:50.080 --> 28:58.220]  A part of you is like, your amygdala is going off, like, warning, warning, pink hair person's right next to you. You should be freaking out. What should you do? You need to take an action.
[28:58.280 --> 29:02.920]  And your prefrontal cortex is like, okay, I'll just tie my purse a little bit closer.
[29:02.920 --> 29:06.300]  But in reality, that video pops up in your head.
[29:06.300 --> 29:10.080]  And you're reminded of this personal story, the person with pink hair.
[29:10.320 --> 29:16.100]  And you realize at that very moment, you're about to practice some sort of discrimination.
[29:16.700 --> 29:25.000]  And you freeze in that moment, recognizing that, and decide, I'm not going to clutch my bag. I'm not going to be that person.
[29:25.960 --> 29:27.480]  Next slide, please.
[29:32.630 --> 29:38.530]  And that's the thing I want to take away from this, is that personal stories are really important.
[29:38.530 --> 29:45.530]  Sharing the truth and fact-checking is so critical, more than ever before.
[29:45.530 --> 29:55.630]  And just note that people can be totally challenged on socially constructed beliefs, because we have to retrain ourselves to be okay with the person with the pink hair.
[29:55.890 --> 30:02.550]  Now, I want you all to think of, this is how basically our society also sees, you know, hackers in some ways, right?
[30:02.550 --> 30:08.650]  In movies, they show hackers as the bad people, the evil people. They're doing malicious things.
[30:08.650 --> 30:16.090]  The news, they report the term hackers, and they use it, once again, to showcase that the hacker community are bad people.
[30:16.090 --> 30:25.330]  The thing is, they're not differentiating between a criminal and someone who's ethically doing something to protect people.
[30:25.330 --> 30:36.890]  And because they keep showing this imagery of a devious person with a hoodie or with a ski mask, we're still getting set up for our community to be looked at in a bad way.
[30:36.890 --> 30:41.590]  And that is how it's preventing so many good things from happening for us.
[30:41.970 --> 30:46.490]  And so it's so important for us to understand how our brain works.
[30:46.490 --> 30:53.330]  And note that you can always, always question beliefs, and you can always get people to question their beliefs of you.
[30:53.330 --> 30:59.850]  It's just fact-checking them, sharing personal stories that change people's mindset.
[30:59.850 --> 31:02.670]  And we need that more than ever before.
[31:03.130 --> 31:04.790]  Next slide, please.
[31:07.790 --> 31:21.530]  Because what's happened is, due to this situation, the mindset set by society, by people in the media, it's keeping us unsafe and preventing us from doing what we do well and trying to protect people.
[31:21.530 --> 31:34.730]  Making sure that the customers are protected, that personally identifiable information is stored somewhere safe and secure where it doesn't come out, especially hospital records.
[31:34.790 --> 31:42.690]  These are all scary things to ever come out in public, and that's what we're trying to do our best in, is to show that there are criminals.
[31:42.750 --> 31:48.370]  But we're not criminals. We're there to save and help and prevent situations from occurring.
[31:49.030 --> 31:57.610]  But the issue is, because of the mindset, the public perception of who we really are, and if you're like, wait, Chloe, how do I know if that's the case?
[31:57.610 --> 32:02.830]  I mean, okay, you guys, let's be real. When you tell someone you're a hacker, what do they do?
[32:02.950 --> 32:06.990]  They usually take a step back, right? Their mouth drops, their eyes get a little bit bigger.
[32:07.230 --> 32:12.650]  Yeah, exactly. Because it still is there, this belief of us.
[32:12.650 --> 32:19.330]  But the thing is that this is one of the reasons why a lot of companies don't have vulnerability disclosure programs.
[32:20.050 --> 32:25.770]  We still have 94% of the Forbes Global 2000 that don't have a VDP.
[32:26.250 --> 32:37.230]  And that's really scary, because companies are still afraid of hackers, and they don't want to create vulnerability disclosure policies because of the lack of bilateral trust amongst hackers and organizations and government.
[32:37.230 --> 32:40.910]  It's one of the reasons why 60% do not report vulnerabilities.
[32:41.550 --> 32:46.310]  And hackers are scared of outdated laws such as the CFAA and DMCA.
[32:46.430 --> 32:57.830]  Also, from interviewing attackers, one of the reasons they decide to move away from hacking ethically is the pay and the constant worry of being prosecuted, regardless of whether they did something legal.
[32:57.830 --> 33:02.410]  And this is also said similarly by those who switch from being an attacker to a hacker.
[33:02.410 --> 33:13.130]  The reason they switched was the insomnia of being arrested, because there are so many cases where an organization prosecutes an ethical hacker, regardless of whether they were in scope, as we saw earlier today.
[33:13.870 --> 33:15.130]  Next slide, please.
[33:19.310 --> 33:25.110]  Which leads us to needing to dive into the current legislation that can be found in most countries towards hackers.
[33:25.310 --> 33:31.910]  We have anti-hacking laws, anti-circumvention laws, these are known as the copyright type of laws, and acceptable use policy.
[33:33.050 --> 33:35.310]  Let's first dive into anti-hacking laws.
[33:35.310 --> 33:39.470]  Overall, they're usually used when a researcher goes out of scope.
[33:39.470 --> 33:41.910]  It's usually the act used to prosecute hacking.
[33:42.110 --> 33:55.070]  But to give you a little bit of background on the CFAA, the Computer Fraud and Abuse Act is a U.S. cybersecurity bill that was enacted in 1984 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984.
[33:55.290 --> 34:00.610]  The law prohibits accessing a computer without authorization or in excess of authorization.
[34:01.490 --> 34:06.010]  Random fact here is, who has heard of the movie WarGames?
[34:06.910 --> 34:13.730]  Now, did you know that Ronald Reagan, he watched the movie, and he freaked out completely about hackers.
[34:13.730 --> 34:16.010]  He was like, oh my god, we have to do something.
[34:16.010 --> 34:19.670]  And that's how the CFAA happened, was because he watched WarGames.
[34:19.670 --> 34:21.910]  Which is sad, because I love that movie, you guys.
[34:21.910 --> 34:24.030]  It was an awesome movie, but still.
[34:25.350 --> 34:28.670]  Let's dive into anti-circumvention laws, the copyright type of laws.
[34:28.670 --> 34:32.370]  If you're in Canada, it's actually called just the Copyright Act.
[34:32.790 --> 34:36.370]  But in the U.S., we call it the Digital Millennium Copyright Act, DMCA.
[34:36.910 --> 34:51.130]  It was formed in 1998. It's the U.S. copyright law that implements two 1996 treaties of the World Intellectual Property Organization, WIPO. Basically, the right to repair and reverse engineering are seen as a breach of property by companies.
[34:52.210 --> 34:54.610]  Now, let's go into acceptable use policy.
[34:54.610 --> 35:02.670]  Quick question, who here in the room has ever read their terms and conditions for, say, for example, an Apple product?
[35:03.170 --> 35:09.310]  Yeah, okay, so I tried. I got really bored, and I decided to watch a movie instead.
[35:09.310 --> 35:11.670]  But in general, they can be long and too much verbiage.
[35:11.670 --> 35:15.190]  It can confuse anyone, especially if English is not their first language.
[35:15.190 --> 35:21.050]  This can lead to some serious miscommunication issues for ethical hackers that don't really speak English as their first language.
[35:22.110 --> 35:25.670]  Clearly, these laws are out of date.
[35:25.670 --> 35:27.730]  And honestly, they were created out of fear.
[35:27.730 --> 35:31.630]  And remember, we learned everything about fear and how it works in the brain, right?
[35:31.930 --> 35:35.770]  There was no empathy by taking the time to understand what is truly needed.
[35:35.770 --> 35:37.050]  It was rushed.
[35:37.130 --> 35:43.190]  Not all the people that it would affect were represented in that room.
[35:43.190 --> 35:54.810]  And that's the issue we have today in so many things, is that without decent representation, having an equal voice, how are any laws supposed to help people?
[35:54.810 --> 35:57.530]  You have to have all the players in the room.
[35:57.770 --> 36:06.430]  And this is why these laws are prosecuting not just malicious actors, but also the really good people out there, the ethical hackers.
[36:07.390 --> 36:09.130]  Next slide, please.
[36:12.790 --> 36:18.730]  Overall takeaway is that laws prevent good hacking in the same way they prevent attackers.
[36:18.730 --> 36:20.850]  And we need good hacking.
[36:21.090 --> 36:21.890]  Next slide.
[36:27.650 --> 36:30.710]  So, I really do hate the CFAA.
[36:30.710 --> 36:34.170]  And I'm going to tell you the reasons why you should too.
[36:34.790 --> 36:44.630]  So, the Computer Fraud and Abuse Act, once again, which was passed in 1984, and I keep restating this year for you to remember and recognize that this is so out of date.
[36:44.630 --> 36:45.990]  We're in 2020.
[36:45.990 --> 36:48.410]  But just remember that.
[36:48.550 --> 37:01.310]  Has grown wildly outdated in that it offers prosecutors discretion to throw in huge potential fines and jail sentences for relatively undeserving violations of computer policy.
[37:01.310 --> 37:07.370]  First, the CFAA, as written, punishes exceeding authorized access to a protected computer.
[37:07.370 --> 37:13.240]  It's a phrase so vague that it invites all kinds of broad interpretations.
[37:13.240 --> 37:19.440]  Another flaw in the CFAA is the redundant provisions that enable a person to be punished multiple times for the same crime.
[37:19.480 --> 37:28.020]  These charges can be stacked on one on top of another, resulting in a threat of a higher cumulative fines and jail time for the exact same violation.
[37:28.380 --> 37:37.120]  This allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single solitary act.
[37:37.120 --> 37:40.100]  It also plays a significant role in sentencing.
[37:40.140 --> 37:51.060]  The ambiguity of a provision meant to toughen sentencing for repeat offenders of the CFAA may, in fact, make it possible for defendants to be sentenced based on what should have been prior convictions,
[37:51.060 --> 37:56.320]  but were nothing more than multiple convictions for the same exact crime.
[37:58.040 --> 38:05.320]  This is one of those things that it's just so overwhelming how this still exists and it hasn't changed.
[38:05.320 --> 38:15.700]  But I want you guys to know we're going to dive into Aaron Swartz's case, because we need to in order to understand how this could be used to hurt someone so much.
[38:15.840 --> 38:22.040]  But what I want you guys to also note is that the CFAA also gives companies the right to sue.
[38:22.340 --> 38:31.120]  And I want to let you guys know that I think hackers have more to fear from companies and states right now than the actual Justice Department at this time.
[38:31.120 --> 38:34.080]  Things have changed a lot since 2014.
[38:34.080 --> 38:41.760]  Since 2014, the DOJ has been working to try to prevent these situations from occurring on the federal side.
[38:41.760 --> 38:45.140]  But just please note that companies and states can definitely do these kind of things.
[38:45.140 --> 38:48.800]  So you want to be a little bit more careful when it comes to companies and states.
[38:48.800 --> 38:54.820]  Those are kind of the ones that threaten you more than, you know, having to worry about federal.
[38:55.080 --> 38:56.320]  Next slide, please.
[38:59.400 --> 39:09.640]  If you guys are not familiar with Aaron Swartz's case, it's definitely a case study to consider when revisiting the CFAA.
[39:09.740 --> 39:19.700]  So in 2011, Carmen Ortiz of the U.S. Attorney's Office charged Swartz with hacking into MIT's computer network to download millions of scholarly articles from JSTOR.
[39:20.000 --> 39:26.740]  It was an act of civil disobedience meant to protest the restrictive access to research funded by taxpayers.
[39:26.740 --> 39:33.960]  For this, the U.S. Attorney brought charges that carried a maximum penalty of 35 years in prison and $1 million in fines.
[39:34.300 --> 39:42.100]  I want to pause right there, because the thing to note was that 35 years in prison was the maximum penalty that he could get.
[39:42.180 --> 39:46.980]  I want you to understand a first degree murder charge is 25 years.
[39:47.880 --> 39:53.500]  It just doesn't seem right. I don't know. Just logically in my mind, that just doesn't sound right.
[39:53.500 --> 40:02.560]  Anyway, going back to this, they were able to charge such years because of the way that the CFAA is written and the issues that have yet to be sorted since it was made into a law.
[40:02.560 --> 40:05.820]  Remember that stack on stack thing? Right.
[40:06.160 --> 40:16.160]  Overall, looking at Aaron's situation, the sad thing was that he was dealing with a 17-month legal battle, one that had no set trial date and wasn't ending anytime soon.
[40:16.160 --> 40:19.520]  And from Swartz's perspective, it must have been so overwhelming.
[40:19.520 --> 40:26.780]  With the future of the legal battle cast into doubt, Swartz hanged himself in his apartment on January 11, 2013.
[40:27.060 --> 40:30.580]  And following his death, federal prosecutors went on to drop the charges.
[40:30.960 --> 40:36.500]  His family said it was the government's prosecution that contributed to his decision to take his own life.
[40:37.660 --> 40:39.140]  Next slide, please.
[40:42.080 --> 40:51.860]  It was because of the situation that happened to Aaron that legislators came together thinking we need to do something about this.
[40:51.960 --> 40:56.660]  Unfortunately, Aaron's law did not pass, but it was a good start.
[40:56.660 --> 41:18.680]  Aaron's Law basically was trying to remove the phrase "exceeds authorized access" and replace it with "access without authorization," which is defined as to obtain information on a computer that the accessor lacks authorization to obtain by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information.
[41:18.680 --> 41:30.440]  In other words, it basically would also ensure people won't face criminal liability for violating terms of service agreements and contracted agreements, but also it limits the penalties.
[41:30.440 --> 41:34.320]  In other words, there was no more duplicated charges that he was facing.
[41:34.800 --> 41:36.620]  Next slide, please.
[41:41.490 --> 41:44.130]  Let's dive a little bit into the DMCA.
[41:44.130 --> 41:47.290]  So the DMCA was passed in 1998.
[41:47.290 --> 41:50.370]  And remember, reminding you this year is 2020.
[41:50.370 --> 41:52.270]  That was in 1998.
[41:52.290 --> 41:53.550]  Hasn't been any changes.
[41:53.550 --> 41:54.690]  So let's keep going.
[41:54.690 --> 42:07.030]  It's an anti-piracy statute, effectively making it illegal to circumvent copy protections designed to prevent pirates from duplicating digital copyrighted works and selling or freely distributing them.
[42:07.030 --> 42:13.150]  It also makes it illegal to manufacture or distribute tools or techniques for circumventing copy controls.
[42:13.150 --> 42:24.630]  But in reality, the controversial law has in fact been much broader, allowing game developers, music and film companies, and others to keep tight control over how consumers use their copyrighted works.
[42:24.630 --> 42:34.990]  Preventing them, in some cases, from making copies of their purchased products for their own use or from jailbreaking smartphones and other devices to use them in ways the manufacturer disliked.
[42:34.990 --> 42:45.150]  The thing you should note about this is that it just, overall, it just seems like it's so out of date once again.
[42:45.150 --> 42:51.950]  And it's so frustrating to see that there hasn't really been anything else on this overall.
[42:51.950 --> 43:06.250]  But when it does, it also prevents doing any research on it, or finding whether there are issues already within the product, because apparently you might actually be dealing with that type of case.
[43:06.710 --> 43:15.390]  It protects more of the big companies and reduces consumer protection, which is what ethical hackers are all about, is protecting the consumer.
[43:15.710 --> 43:20.650]  It also puts a hold on free expression and it does interfere with computer intrusion laws.
[43:20.650 --> 43:25.830]  I do recommend reading the public comments, especially groups one through three.
[43:25.930 --> 43:28.110]  There is a link right there.
[43:29.150 --> 43:30.610]  Next slide, please.
[43:34.330 --> 43:39.470]  In general, with the improvements to legislation, we can change where we stand today.
[43:39.470 --> 43:48.110]  But in order to do that, we have to dive into three categories in which we have touched on because they work together to bring about a public change.
[43:48.170 --> 43:49.610]  Next slide, please.
[43:54.060 --> 43:58.240]  Overall, in order to have rights for hackers, we need to get the public on board.
[43:58.240 --> 44:01.380]  In order to do so, we need to dive into these three categories.
[44:01.700 --> 44:05.400]  We need the media to push for the public to become more aware.
[44:05.500 --> 44:13.420]  In other words, we need to change the language and imagery of a hacker and start using the term cyber criminals for those who commit unethical hacking.
[44:13.460 --> 44:19.320]  Overall, really separate these two groups because they are definitely separated on this.
[44:19.320 --> 44:26.560]  In order to help the press, organizations need to be on board with a bilateral trust with having moderate disclosure programs.
[44:26.860 --> 44:36.780]  By initiating a VDP program or putting contact information and following up with the researchers that do report, it's showing that you support the hackers and the community.
[44:36.880 --> 44:44.560]  And this is what is needed also because when the public starts seeing that, then the public slowly changes their view in general.
[44:44.560 --> 44:47.720]  And then we can actually build trust now.
[44:47.720 --> 44:57.560]  And lastly, to have organizations and public opinion to push and motivate Capitol Hill to get on board and update the current legislation that will protect ethical hackers.
[44:57.640 --> 45:01.540]  Overall, we need all three to be supporting hacker rights for it to become a reality.
[45:01.660 --> 45:02.960]  Next slide, please.
[45:05.890 --> 45:11.590]  So now you're probably wondering, so how do we get there exactly?
[45:12.170 --> 45:13.710]  Next slide, please.
[45:17.450 --> 45:22.830]  Overall, we need these five needs to push for awareness of ethical hackers.
[45:22.830 --> 45:24.410]  These are the five needs to get there.
[45:24.410 --> 45:27.970]  Now, how we get there, I need you to be honest.
[45:27.970 --> 45:30.010]  I can't be doing this all by myself.
[45:30.010 --> 45:31.990]  We need to work together more than ever.
[45:31.990 --> 45:34.330]  And we actually have a shot at it now.
[45:35.490 --> 45:38.650]  And I'm going to dive into each one of these needs next.
[45:38.770 --> 45:40.090]  Next slide, please.
[45:44.130 --> 45:45.870]  So the first step.
[45:45.870 --> 45:49.590]  This is a petition that I wrote at the end of RSA.
[45:49.590 --> 45:55.250]  I gave a talk about basically how we need to get rights for hackers.
[45:55.250 --> 46:05.390]  And this petition was created in a way so then we can get the public to be aware and get the public to sign it and really help us try to bring about a change.
[46:05.470 --> 46:10.370]  And the best thing that you can do at this very moment is to sign and share this petition.
[46:10.370 --> 46:14.590]  It is broken down by orgs, legislators, the media, the hacker community.
[46:14.870 --> 46:21.210]  And anyone who can sign it can basically... anyone who agrees with it can sign it, in other words.
[46:21.210 --> 46:24.310]  And it's really important that we do this because this is the first step.
[46:24.310 --> 46:27.370]  How you get attention from the public is a petition.
[46:27.550 --> 46:34.290]  These petitions can be used next to go to politicians and show them that this is what's needed.
[46:34.290 --> 46:41.390]  It can also be adopted by other companies saying that they support this type of work as well.
[46:41.390 --> 46:49.290]  And we get basically the press involved too by noticing that all these different players are wanting for something to change.
[46:49.870 --> 46:53.690]  Next step, please. And by next step, I mean next slide.
[46:54.930 --> 47:01.510]  So there is this collaboration that's happening right now with Brian and myself.
[47:01.510 --> 47:06.910]  I hope you guys probably saw this video trending on Twitter this week.
[47:06.910 --> 47:15.010]  Basically showcasing what people generally think what a hacker looks like and what they do versus what it looks like actually in real life.
[47:15.010 --> 47:17.590]  It's actually hilarious and I hope you guys catch it.
[47:17.590 --> 47:21.450]  If not, it is on my page and I recommend it.
[47:21.450 --> 47:30.250]  But also check out the Hacking is Not a Crime itself, the Twitter handle, because you will also find those things.
[47:30.250 --> 47:42.870]  But in general, what Hacking is Not a Crime, what it's about is to try to push out public awareness and for them to have a better understanding of what we mean by that.
[47:42.870 --> 47:46.690]  Hacking is not a crime, okay? Let's just remind ourselves this.
[47:46.790 --> 47:52.830]  One of the other things you could do is to share this with friends and family to share your personal stories.
[47:52.830 --> 48:02.670]  But overall, the general mission for Hacking is Not a Crime is to bring awareness for the community and for the community to feel like that they are being listened to as well.
[48:02.670 --> 48:07.590]  And we have to work together as a community whole to get the public to be involved.
[48:08.770 --> 48:12.690]  And yeah, there's so many more things I could talk to you about this thing.
[48:13.170 --> 48:16.270]  It's actually the handle is Hack Not Crime.
[48:16.270 --> 48:19.450]  Thank you, Brian, for reminding me of this.
[48:19.450 --> 48:21.790]  Next slide, please.
[48:25.870 --> 48:32.810]  All right, the next step is we need to remind people the difference between a hacker versus a criminal and attacker.
[48:32.890 --> 48:36.810]  I usually tend to use this phrase, which is a locksmith.
[48:36.810 --> 48:42.890]  Say a locksmith is a hacker. A burglar is the criminal attacker, the malicious actor.
[48:43.130 --> 48:46.570]  This is actually the easiest way for people to understand the differences.
[48:46.570 --> 48:53.950]  So I do recommend it. So remember, locksmith equals hacker. Burglar equals criminal attacker. So criminal malicious actor.
[48:53.950 --> 48:56.430]  Anyway, it's really good thing to take away from it.
[48:56.470 --> 48:59.610]  Now, the thing to note about what do you mean by tell the press?
[48:59.790 --> 49:06.710]  So whenever I'm talking to the press about a breach or anything like that, and when they're saying, so what did this hacker do exactly?
[49:06.710 --> 49:10.590]  I'm like, I correct them. I say, you mean attacker.
[49:11.090 --> 49:12.850]  And there's a reason for that.
[49:12.850 --> 49:22.670]  We have to start correcting the press when we talk to them about how they're labeling the people in the story that are doing negative things.
[49:22.670 --> 49:26.250]  The other thing you can do is simply shame them online.
[49:26.250 --> 49:37.010]  I know that sounds really bad to do, but on LinkedIn, on Twitter, basically publicly shaming them, reminding them once again, this is not a hacker that caused a breach.
[49:37.010 --> 49:42.090]  It was an attacker, or you could use the term cyber criminal if you want, or malicious actor.
[49:42.750 --> 49:44.630]  You get to pick which one you want to use.
[49:44.630 --> 49:47.210]  But the thing is, we have to let them know they got it wrong.
[49:47.490 --> 49:55.730]  Also, when it comes to images, if they show us another image of someone wearing a hood underneath, I don't know, in the basement or something.
[49:55.730 --> 50:00.670]  I think we need to start telling them, no, that's not, no, no.
[50:00.670 --> 50:04.270]  Actually, we could be in a cafe scene right next to you doing what we do.
[50:04.270 --> 50:10.550]  Anyway, it's just the thing is we have to showcase that they are wrong here at this point in time.
[50:10.750 --> 50:17.070]  So those are going to be the best thing is to fact check them, basically, and remind them they have it wrong until they learn.
[50:17.210 --> 50:21.410]  So I do recommend that, and that needs all of us in the community to do that.
[50:21.830 --> 50:25.350]  I think the person who started really doing that was Chris Roberts.
[50:25.350 --> 50:32.150]  He started being like, you got it wrong. That's a cyber criminal, not a hacker. This is a hacker.
[50:32.670 --> 50:38.030]  Also, Casey Ellis does that, too, as well. I try my best to do it, as well.
[50:38.030 --> 50:43.290]  So if you do have any of those cases, please let them know, share them online if you need to.
[50:43.850 --> 50:47.950]  Next step. Next slide, that is.
[50:48.750 --> 50:53.870]  All right, so the third step, what we need to do is push for organizations to partner and campaign with us.
[50:53.870 --> 51:00.710]  So remember that petition? Basically, we need organizations to get involved more by pushing out, saying, like,
[51:00.710 --> 51:06.330]  this is the reason why they have a VDP program, or this is why we trust the hacker community.
[51:06.370 --> 51:12.890]  This is why we need to do these things, because they need the hacker community to stay safe.
[51:13.230 --> 51:16.290]  Also, to push for organizations to have a disclosure program.
[51:16.290 --> 51:24.830]  So if a company doesn't have one, and you're working out one that doesn't have one, it's time to basically let them know they need to change that.
[51:24.830 --> 51:31.570]  Because having voluntary disclosure programs actually forces those more companies to do it themselves.
[51:31.570 --> 51:41.870]  So we want that Forbes list of companies to all have a program, because that means that we are definitely moving forward a lot faster.
[51:42.550 --> 51:44.510]  Next slide, please.
[51:46.930 --> 51:54.270]  The fourth step. Now, you need to contact your local representatives to update current legislation.
[51:54.270 --> 52:00.050]  You need to talk to local ones. That means, you know, your city, your county, your state.
[52:00.490 --> 52:09.150]  And the reason for that, once again, the actors that you need to be more concerned about these days are states and companies themselves prosecuting hackers.
[52:09.350 --> 52:14.790]  So it's really important to let them know that things are out of date, and it's time for you to do something about it.
[52:14.790 --> 52:23.530]  And let me tell you why. But the point, how you learn how to tell them why they need to change it, is find out what are the things that they're passionate about.
[52:23.530 --> 52:28.870]  What are the basically the things that they want to fix in their own community?
[52:28.950 --> 52:40.630]  If they're passionate about, say, for example, social media, tell them why it's important to work with hacker community when it comes to social media.
[52:40.630 --> 52:49.130]  Tell them why it's important to do so, because with the CFAA, you might face the following other situations.
[52:49.130 --> 52:58.050]  Basically, you want to find whatever they're interested in, get them connected, because you're doing a bilateral kind of conversation, right?
[52:58.050 --> 53:04.870]  Find out what their passions, their weaknesses are, and then utilize that to help your cause too.
[53:04.870 --> 53:08.790]  So you both are ending the conversation with both feeling like you're winning.
[53:08.790 --> 53:15.770]  And that's the way how you do things. If you want to practice diplomacy, that is the way you should do diplomacy.
[53:15.770 --> 53:18.670]  So that's the most important thing.
[53:19.350 --> 53:25.850]  And yes, you need to know who your local representatives are. If you don't know who they are, this is the time to do so.
[53:26.710 --> 53:32.830]  Also, follow the Van Buren v. United States case. That is actually very important to do.
[53:33.470 --> 53:38.790]  Next slide. And I'll tell you, if you haven't heard about this case, why it's important.
[53:38.790 --> 53:47.510]  So basically, a former Georgia police officer was wrongly convicted under this notoriously vague, you know, CFAA.
[53:47.510 --> 53:59.030]  So the Computer Fraud and Abuse Act is back, right? And basically what happened is that the person has gone to the Supreme Court to re-look at the CFAA.
[53:59.310 --> 54:07.750]  Because what was happening was that Nathan Van Buren was accused of taking money in exchange for looking up a license plate in a law enforcement database.
[54:07.750 --> 54:17.410]  He was convicted of violating the CFAA because he allegedly used that database for an improper purpose, even though it was a database that he was allowed to access for work purposes.
[54:17.410 --> 54:27.450]  Under this expansive interpretation of the CFAA, it would be considered a federal crime any time a person violates a website's terms of service.
[54:27.450 --> 54:36.390]  If violating terms of service is a crime, private companies get to decide who goes to prison and for what, putting us all at risk for everyday online behavior.
[54:36.390 --> 54:45.550]  And so this case is actually going to the Supreme Court in the fall, and the CFAA is what it's going to be talking about.
[54:46.390 --> 54:50.530]  All right. Next one. Next slide, that is.
[54:52.330 --> 54:57.150]  The fifth step. These are some great organizations that can use your support.
[54:57.150 --> 55:03.670]  If that means volunteering, if that means donating, if that means anything, just contact them and find out how you can help them out.
[55:03.670 --> 55:09.370]  It's super, super important. All right. So, I Am The Cavalry is a great one.
[55:09.370 --> 55:16.070]  It has been having conversations with representatives since, I think, 2013, 2014.
[55:16.570 --> 55:20.950]  So, they've been pushing for things to change.
[55:21.050 --> 55:33.070]  Disclose.io, once again, is a great site to know what are the companies that are trying to practice some sort of bilateral trust agreement between the hacker community and the organization itself.
[55:33.070 --> 55:39.370]  Basically, if you're a part of Disclose.io, you have to state contact information.
[55:39.370 --> 55:57.470]  If you want to have a hacker disclose any information, you have to state their email addresses, what kind of rewards to expect, if there are any rewards, and the policy link to their page, which has to follow the Disclose.io RIN drafted policies.
[55:59.270 --> 56:06.330]  And then I think there's one more thing I'm forgetting about Disclose.io, but overall, do check it out. It is great.
[56:06.330 --> 56:11.790]  If your company is not listed on there, but they do practice these kind of things, I do recommend adding them to it.
[56:11.790 --> 56:20.750]  Basically, everyone in the community has participated by throwing in whatever organization they know is practicing these things and what to expect.
[56:20.750 --> 56:28.450]  And yes, it does talk about Safe Harbor. So just to let you know about that ahead of time.
[56:29.270 --> 56:41.410]  The other one to consider is CERT Coordination Center. So CERT CC is a great one. EFF, of course, and the CTI League, which is doing some phenomenal work right now during COVID-19.
[56:41.410 --> 56:44.390]  I highly recommend helping them out if you can.
[56:44.390 --> 56:47.370]  All right. Next slide, please.
[56:52.250 --> 56:59.850]  So overall, we need all these things to happen to have any type of awareness for ethical hackers.
[57:00.410 --> 57:05.450]  And how are we going to get there? It really is going to need your advice and your assistance, too.
[57:06.010 --> 57:16.730]  But what I have to tell you guys is, like, just don't give up yet. Just don't. It's going to get better. I promise you it will. This is the time where it's going to get better.
[57:16.730 --> 57:22.750]  Maybe not this year, but next year, I guarantee you it's going to be a lot of talk around it.
[57:22.890 --> 57:24.210]  Next slide, please.
[57:27.470 --> 57:34.510]  But most importantly, I just have one main takeaway from this entire conversation with you guys.
[57:34.630 --> 57:36.430]  Next slide, please.
[57:39.930 --> 57:44.210]  I want to remind you that the change starts with you and me.
[57:44.210 --> 57:48.250]  We must not give up. We must continue to fight for rights.
[57:48.650 --> 57:54.050]  And it's so important that we do that, because it's not just Aaron Swartz's life that we need to do this for.
[57:54.050 --> 57:56.930]  But there's so many other ones out there, too.
[57:57.150 --> 58:05.910]  It's about time that we do whatever we can as a community, as a whole, as a collective, to come together and to do these things.
[58:05.910 --> 58:10.110]  Because there are people working behind the scenes, once again, for all these things.
[58:10.110 --> 58:19.650]  But when you have a crowd of hundreds and hundreds of people pushing for something to change, then things change.
[58:19.670 --> 58:25.510]  With numbers, things change. With pressure from numbers, things change.
[58:25.510 --> 58:29.750]  But we cannot get there unless we get all of us in this together.
[58:29.750 --> 58:36.130]  It doesn't mean the entire community, but we need at least a couple hundred of us to at least try to start changing things.
[58:36.130 --> 58:44.730]  And all those takeaways and steps that you can take at this moment, you have more of the ability to do so.
[58:44.730 --> 58:46.970]  There should be nothing stopping you on this.
[58:46.970 --> 58:53.470]  So if you are bothered by these outdated laws, and you're tired of how the public has perceived you,
[58:53.470 --> 59:00.670]  and you feel like you are silenced in any sort of way because of the thing that you're passionate about,
[59:00.670 --> 59:04.850]  then you need to act, too. You need to take the actions.
[59:04.850 --> 59:10.210]  And if you feel uncomfortable or awkward about that, reach out to me. I am here for you.
[59:11.210 --> 59:12.850]  Next slide, please.
[59:16.350 --> 59:19.210]  All right, everyone. That is all my talk.
[59:19.210 --> 59:23.350]  So I'm looking forward to doing the Q&A, and I'll put my camera on for that.
[59:23.350 --> 59:31.210]  But I just want to say thank you guys so much for existing, for being who you are, and being part of this community.
[59:31.250 --> 59:36.610]  I really do appreciate it. Thank you to Ethics Village for having me do this talk.
[59:36.610 --> 59:44.610]  I want to give a special shout-out to Bo Woods and Harley Gager for providing further insight into the current situation
[59:44.610 --> 59:50.950]  so I was able to have a better understanding of what things I could be missing in the presentation.
[59:52.130 --> 59:56.630]  All right, I'll put my camera on, and I'm ready to take any questions that you guys may have.
[59:58.350 --> 01:00:03.230]  So everybody, thanks to Chloe, again, for that really amazing talk.
[01:00:03.230 --> 01:00:06.330]  That's something that I think is incredibly important.
[01:00:06.330 --> 01:00:13.930]  Moving forward, while back in the day, hacking and everything was very niche in the early days of computerism,
[01:00:13.930 --> 01:00:18.510]  I think more so nowadays, especially with all the breaches and things that are happening,
[01:00:18.510 --> 01:00:21.750]  it's something that we really need to take seriously.
